2026
Journal Article
Title
Certification as a compensation mechanism for weak regulation? Exploring the diffusion of the international standard ISO/IEC 27001 for information security management
Abstract
Safeguarding information security has become a key managerial responsibility. The standard "Information security, cybersecurity and privacy protection - Information security management systems - Requirements" (ISO/IEC 27001) specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It provides a systematic approach to managing sensitive information, ensuring its confidentiality, integrity, and availability through risk management and security controls. While the number of valid certifications has grown significantly over time, adoption rates vary widely across countries. Drawing on signaling theory, we present the first comprehensive global study of ISO/IEC 27001 diffusion, with a particular focus on the influence of regulatory frameworks and international trade. Based on regression analyses covering 128 countries that implemented ISO/IEC 27001 between 2006 and 2017, our findings suggest that organizations may use ISO/IEC 27001 certification as a signaling mechanism, especially in environments with less stringent regulatory frameworks.
Author(s)
Open Access
Rights
CC BY 4.0: Creative Commons Attribution
Language
English